CRITICAL🇵🇱 Wersja polska

CVE-2026-8401

CVSS 9.8pub. 2026-05-12upd. 2026-06-30

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

🤖 AI Analysis
How it works

The error classified as CWE-693 (Protection Mechanism Failure) indicates the ineffectiveness of the protection mechanism — in this case the sandbox. An attacker can exploit the vulnerability in the Profile Backup component to escape from the restricted browser execution environment. The attack can be conducted remotely, without authentication and without any user interaction, which makes it particularly dangerous.

Impact

Successful exploitation of the vulnerability allows an attacker to escape from the browser sandbox, which may lead to obtaining unauthorized access to the operating system, violating data confidentiality and integrity, and destabilizing system operation.

Mitigation & patch

The software must be immediately updated to Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11 or Thunderbird 140.11, in which the vulnerability has been patched by the vendor.

Who is affected

Mozilla Firefox in versions before 150.0.3, Mozilla Firefox ESR in versions before 115.36 and before 140.11, Mozilla Thunderbird in versions before 140.11.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 150.0.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...